G Suite Security & Privacy

Google is committed to the security and privacy of your organization's data

Google security: Raising the bar

Google was born in the cloud and we run on the cloud, so it's no surprise
that our infrastructure is even more secure than most traditional
solutions. With G Suite, you can harness all the benefits of the strong
security we rely on every day. The robustness of our world-scale
infrastructure, along with over 650 security professionals, and our drive
to innovate, enables Google to stay ahead of the curve in security and
offer the safest data protection environment for your organization.

Google uses custom-built servers and network equipment that we design
ourselves. Unlike most commercially available hardware, Google servers
don’t have unnecessary components that can introduce vulnerabilities. This
standardized environment is continually monitored for binary modifications.
If a modification deviates from the standard Google server image, the
system is automatically returned to its official state.

Google’s vast network of data centers is connected by our own network,
consisting of our own fiber, public fiber, and undersea cables. This allows
us to deliver highly available, low-latency services across the globe.

Core customer data handled in G Suite is encrypted while at rest. Data in transit is also
encrypted so that your information is protected as it travels over the
Internet to or from Google’s servers or moves within Google from one data
center to another.

Google's collaborative security culture

At Google, all employees are required to think "security-first." From
hiring and onboarding to required training and events, we continually raise
awareness and encourage vigilance. Google employs more than 650 full-time
security and privacy professionals. Our team includes some of the world’s
foremost experts in information, application, and network security.

To supplement the expertise of our employees, we have long enjoyed a close
relationship with the security research community. Researchers regularly
help identify vulnerabilities in G Suite and other Google products. Our
Vulnerability Reward Program encourages researchers to report
design and implementation issues that may put customer data at risk, and we
offer substantial rewards for these contributions. We publicly thank these individuals and list them as contributors
to our products and services.

Our security team also takes part in research and outreach activities to protect the wider
community of Internet users, beyond just those who choose Google solutions.
For example, our Project Zero team of security analysts finds zero-day
exploits, not just in Google products but in all software used by our
users.

To ensure Google remains secure, we incorporate security into our entire
software development process. This can range from security professionals
analyzing proposed architectures to reviewing code for security
vulnerabilities, in order to understand the different attack models for a
new product or feature.

Transparency and control

We’re committed to providing customers with the information they need about
our systems and processes — whether that's a real-time performance
overview; the results of a data handling audit; or the location of our data
centers. It’s your data; we ensure you have control over it. You can delete
your data or export it at any time.

We regularly publish Transparency Reports detailing how governments and
other parties can affect your security and privacy online. We think you
deserve to know, and we have a long track record of keeping you informed
and standing up for your rights.

Product security highlights

G Suite offers administrators extensive control over system configuration
and application settings—all integrated into a dashboard that includes many
easy-to-use security features. This section summarizes several of these
features; for details, see the G Suite Security and Compliance Whitepaper.

Data Loss Prevention (DLP)

G Suite administrators can set up a DLP policy to protect sensitive
information. A library of predefined content detectors is provided to make
setup easy. Once the DLP policy is in place, for example, Gmail can
automatically check all outgoing email and take action: either quarantine
the email for review, tell users to modify the information, or block the
email from being sent and notify the sender. These checks apply not only to
text, but also to content within common attachment types. Learn more in our
DLP whitepaper.

2-step verification and Security Key

2-step verification greatly reduces the risk of unauthorized access by
asking users for additional proof of identity when signing in. Our Security Key feature offers another layer of security for
user accounts, by requiring a physical key. The key sends an encrypted
signature rather than a code, helping to guard against phishing. G Suite
administrators can easily deploy, monitor, and manage the Security Key at
scale from within the Admin console — with no additional software to
install.

G Suite identity services (IDaaS)

With the G Suite single sign-on service (SSO), customers can use one set of
credentials to access multiple apps. Google products support SAML 2.0
(Security Assertion Markup Language) for more than 15 popular software as a
service (SaaS) identity providers. Users can discover and connect with more
than 1,000 SAML 2.0 and OpenID Connect (OIDC) apps through the G Suite Marketplace.

Information Rights Management (IRM)

To help admins maintain control over sensitive data, we offer Information
Rights Management in Google Drive. Administrators and users can disable
downloading, printing, and copying from the advanced sharing menu.

The G Suite Admin console helps you manage your users' Android, iOS,
Windows, and BlackBerry devices. With mobile device management (MDM), you
can enforce device policies throughout your organization and perform other
security-related actions, such as remote wiping.

Suspicious login monitoring

Google uses its robust machine learning capabilities to help detect
suspicious logins. When we discover a suspicious login, we notify admins so
they can work to ensure the accounts are secured.

Spam filters and malware detection

Google has one of the best spam filters available. We use machine learning
to detect and block even the most advanced types of spam. Less than 0.1% of
email in the average Gmail inbox is spam, and incorrect filtering of mail
to the spam folder is even less likely (under 0.05%).

To help prevent malware, Google automatically scans every attachment for
viruses prior to a user downloading it. Gmail even checks for viruses in
attachments queued for dispatch. This helps to protect everyone who uses
Gmail, and prevents the spread of viruses.

No advertising in G Suite

There is no advertising in G Suite Services, period. Google does not collect, scan, or
use data from the core services for advertising purposes.

Only a small number of Google employees have access to customer data, and
those who do are subject to comprehensive monitoring and
logging. Access rights and levels are based on employee job function
and role; we use the concepts of least privilege and need-to-know to match
access privileges to defined responsibilities.

Law enforcement data requests

Google may receive direct requests from governments and courts around the
world for customer data. The customer, as the data owner, is primarily
responsible for responding to law enforcement data requests. Respecting the
privacy and security of the data you store with Google remains our priority
as we comply with these legal requests. Detailed information about data
requests and Google’s response to them is available in our Transparency Report. It is Google’s policy to notify
customers about requests for their data, unless specifically prohibited by
law or court order.

Customer administrator roles

Customers can assign a variety of internal administrative roles and
privileges to manage their users. This role-based access control in G Suite
protects privacy by allowing individual team members to manage certain
services or perform specific administrative functions without gaining
access to all settings and data.

EU Data Protection

G Suite has a broad customer base in Europe. Google provides product
capabilities and contractual commitments to enable and facilitate our
customers’ compliance with EU Data Protection requirements, and follows the
recommendations provided by the Article 29 Working Party (an independent
European advisory body focused on data protection).

Model contract clauses

The European Commission has approved a set of model contract clauses as a
means to ensure adequate safeguards for the transfer of personal data to
processors established outside the European Economic Area. The Article 29
Working Party has provided further guidance on how to meet European data
protection requirements when engaging with cloud computing providers, in
the form of additional model contract clauses. Google provides EU Model Contract
Clauses that reflect the requirements and guidance provided by these
European data protection bodies.

Data Processing Amendment

To help G Suite customers address data protection and compliance
regulations, we offer a Data Processing
Amendment that describes our specific data protection commitments for
your G Suite information. You can access the data processing amendment from
the Admin console.